| author | Jo-Philipp Wich | 2022-09-01 10:11:44 +0000 |
|---|---|---|
| committer | Jo-Philipp Wich | 2022-09-01 10:19:14 +0000 |
| commit | f5fcdcf2c51f6f0a4b116c352000c4fe0523be77 (patch) | |
| tree | ff0a791db047212fac93b2e637823fbfda36014f | |
| parent | a540f6d5373217e60febd2d0bc0f585981e67917 (diff) | |
| download | firewall4-f5fcdcf2c51f6f0a4b116c352000c4fe0523be77.tar.gz | |
cli: introduce test mode and refuse firewall restart on errors
- Introduce a new `fw4 [-q] check` command which tests the rendered ruleset
using nftables' --check mode. This is useful to assert complex rulesets
using external includes for correctness.
- Extend the `fw4 restart` command to check the rendered ruleset before
flushing the existing ruleset.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
| -rwxr-xr-x | root/sbin/fw4 | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/root/sbin/fw4 b/root/sbin/fw4 index cf23e58..c3e95c2 100755 --- a/root/sbin/fw4 +++ b/root/sbin/fw4 @@ -108,9 +108,18 @@ case "$1" in flush ;; restart) + QUIET=1 print | nft ${VERBOSE} -c -f $STDIN || die "The rendered ruleset contains errors, not doing firewall restart." stop || rm -f $STATE start ;; + check) + if [ -n "$QUIET" ]; then + exec 1>/dev/null + exec 2>/dev/null + fi + + print | nft ${VERBOSE} -c -f $STDIN && echo "Ruleset passes nftables check." + ;; print) print ;; @@ -140,6 +149,12 @@ Usage: Print the rendered ruleset. + $0 [-q] check + + Test the rendered ruleset using nftables' check mode without + applying it to the running system. + + $0 [-q] network {net} Print the name of the firewall zone covering the given network. |
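Review bot: in the `restart)` branch the condition on `print | nft ${VERBOSE} -c -f $STDIN || die "..."` is the exit status of `nft` alone, so if `print` fails part way and emits an empty or truncated ruleset, `nft -c` can still accept what it receives and the restart proceeds to `stop || rm -f $STATE`. Rendering to a temporary file and checking that the render itself succeeded before running `nft -c` on it would preserve the fail-closed property the commit message describes, where the live ruleset is only flushed once a complete candidate has been validated. The unconditional `QUIET=1` added at the top of the branch also needs a short comment: it makes every restart behave as if `-q` had been given for the `print`, `stop` and `start` steps that follow, and the reason is not visible from the hunk.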
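Review bot: the usage entry for `$0 [-q] check` should state that the outcome is reported through the exit status, because with `-q` the `check)` branch redirects both stdout and stderr to `/dev/null` and the `Ruleset passes nftables check.` message is never printed. A sentence such as `Exits non-zero if the ruleset fails the check.` tells script and init-hook authors how to consume the result, which is the use case the commit message gives for the command.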